Researchers, at Fortinet, have discovered an even newer variant of the “Backoff” Point-of-Sale malware family, 211G1, employing even more sophisticated techniques to hinder the analysis process and evade detection.
The newest version, detected as W32/Backoff.C!tr.spy, is now equipped with code that maps the image to its original base address before continuing to execute, putting even more roadblocks to the analysis process. The malware hides itself in the user’s application data folder but, unlike the previous version, randomly sele¬cts a name from a predefined list.
On November 3rd, FortiGuard researchers detected an updated version of “Backoff,” dubbed ROM, which performed many of the same functions as its predecessor, but leveraged a slew of new techniques that made the threat more difficult to detect and analyze. This version circumvented security controls by disguising itself as a media player with the file name mplayer.exe and dropping a file in the user’s Application Data folder.
FortiGuard researchers have observed that the malware authors are continuing to modify the threat in order to bypass security detection, and recommend that users continue to maintain updated antivirus software to better protect themselves from this evolving threat.